Hopefully I am wording all of this correctly. We have a web service protected by SiteMinder. We have token services which I can successfully retrieve a site cookie for. I've then tried supplying this cookie by setting a header of "Cookie" with a value of "SMSESSION=" the cookie I got from our token service. It's not working for me. When the REST server is set to default or always follow redirects, I get errors of too many redirects or circular redirects. When I set it to not follow any redirects, it seems those errors stop.
The web service is HTTP only. I'm supplying a base64-encoded user/pass and that seems to get me past the first level of protection, but then I don't seem to get much further. When my request includes the cookie I got from SiteMinder, I get a 302 "page has moved" error, I think. In the header of the response I see another SiteMinder cookie. If I try my request again with that cookie from the header, I get some message about the user being denied. I'm wondering if I'm setting the header correctly or missing some other piece. I'm just doing simple GETs. I can hit the pages I'm trying to get directly from a web browser, so I know I have access if everything gets passed through correctly. Hoping someone out there has done this successfully with vRO.
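
An added example, not part of the original post: one way to see what happens between the 302 and the re-issued cookie is to follow the redirects by hand, carry forward any cookie the server sets, and stop as soon as the same URL is requested again with the same cookies. It is plain Node.js JavaScript rather than vRO REST plug-in code; `send`, `demoSend`, the host name and the cookie values are hypothetical or constructed.

```javascript
// Keep only name=value from each Set-Cookie; attributes are never sent back.
function parseSetCookie(values) {
  const jar = {};
  for (const v of values || []) {
    const pair = v.split(";")[0];
    const eq = pair.indexOf("=");
    if (eq > 0) jar[pair.slice(0, eq).trim()] = pair.slice(eq + 1).trim();
  }
  return jar;
}

// send(url, headers) -> { status, headers } is a hypothetical transport.
function traceRedirects(send, startUrl, jar, basicAuth, maxHops = 10) {
  const origin = new URL(startUrl).origin;
  const hops = [];
  const seen = new Set();
  let url = startUrl;
  for (let i = 0; i < maxHops; i++) {
    const cookie = Object.entries(jar).map(([k, v]) => `${k}=${v}`).join("; ");
    // Same URL with the same cookies again means the chain is circular.
    const state = `${url}|${cookie}`;
    if (seen.has(state)) return { outcome: "loop", hops };
    seen.add(state);
    // Simplification: credentials go only to the starting origin.
    const headers = {};
    if (new URL(url).origin === origin) {
      if (cookie) headers.Cookie = cookie;
      if (basicAuth) headers.Authorization = `Basic ${basicAuth}`;
    }
    const res = send(url, headers);
    const reissued = parseSetCookie(res.headers["set-cookie"]);
    Object.assign(jar, reissued); // a re-issued SMSESSION replaces the old one
    hops.push({ url, status: res.status, reissued: Object.keys(reissued) });
    const location = res.headers.location;
    if (res.status < 300 || res.status >= 400 || !location) {
      return { outcome: "final", status: res.status, hops };
    }
    url = new URL(location, url).href;
  }
  return { outcome: "too-many-hops", hops };
}

// Constructed responses: the first hop re-issues SMSESSION, the second accepts it.
function demoSend(url, headers) {
  if (headers.Cookie === "SMSESSION=token-from-service") {
    return { status: 302, headers: { location: "/api/items",
      "set-cookie": ["SMSESSION=reissued; Path=/; HttpOnly"] } };
  }
  return { status: 200, headers: {} };
}
```

The `hops` array records the status and the names of any re-issued cookies at each step, which separates a cookie being rotated from a redirect that never resolves.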